[pkg-netfilter-team] Bug#1063769: Segfault on latest stable nftables package on Bullseye

Jordi MORILLO j.morillo at yeswehack.com
Mon Feb 12 14:18:30 GMT 2024


Package: nftables
Version: 0.9.8-3.1+deb11u2

Package: libnftables1
Version: 0.9.8-3.1+deb11u2

Since upgrading nftables/libnftables1 from 0.9.8-3.1+deb11u1 -> 0.9.8-3.1+deb11u2, nftables segfaults with these simple rules:

$ cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
      chain input {
            type filter hook input priority 0;
      }
      chain forward {
            type filter hook forward priority 0;
      }
      chain output {
            type filter hook output priority 0;
      }
}
include "/etc/nftables.conf.d/*.conf"

$ cat /etc/nftables.conf.d/test.conf
table inet filter {
  set test {
    type ipv4_addr
    flags interval
    elements = { 1.2.3.4/32 }
  }
}

# systemctl start nftables -> segfault
# nft -cf /etc/nftables.conf -> segfault

There is no segfault with the 0.9.8-3.1+deb11u1 version, only with the 0.9.8-3.1+deb11u2 version.

If I move the test set into nftables.conf, there is no problem.
The segfault only occurred with the set declared inside the included file.

I'm using a fresh bullseye install, fully up-to-date.

Best regards
